In this article we’ll cover the Chrome Group Policy administrative templates (admx), provided by Google, that allow you to centrally manage browser settings in an Active Directory domain. Chrome’s ADMX GPO templates greatly simplifies the deployment and configuration of this browser in a corporate network. Also, we will show several typical tasks of managing Google Chrome settings using GPO and installing browser extensions.
Installing GPO ADMX Templates for Google Chrome
In order to manage Chrome settings through Group Policies, you must download and install a special set of administrative GPO templates
- Download and extract an archive with ADM/ADMX templates of Group Policies for Google Chrome ( http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip — the file size is about 13 MB);
- There are 3 directories in the policy_templates:
- chromeos (administrative templates for Chromium);
- common (contains html files with a full description of all Chrome policy settings – see chrome_policy_list.html file);
- windows – contains Chrome policy templates in two formats: ADM and ADMX (admx is a newer administrative policy format, supported starting from Windows Vista / Windows Server 2008 and newer);There is a chrome.reg file in the same directory. It contains an example of Chrome registry settings that can be set via the GPO. You can use examples from this reg file to directly import Chrome settings using Group Policy Preferences).
- Copy the Chrome administrative template files to the
C:WindowsPolicyDefinitionsdirectory (local administrative GPO templates are stored in this directory). In order for the Chrome Group Policy settings to be localized, you need to copy the corresponding ADML template files (folders en-US, de-De, etc…).
Note. If you want to use Chrome policies in the Active Directory domain, you need to copy the ADMX and ADML files to a specific GPO directory (not the best option) or to PolicyDefinitions folder in SYSVOL on the domain controller. - Suppose, we are going to use the ADMX format of the GPO template and domain Central Policy Store. Copy the chrome.admx file and localization directories to the \contoso.comSYSVOLcontoso.comPoliciesPolicyDefinitionsPolicyDefinitions;
- Open the domain Group Policy Management Console (gpmc.msc) and edit any existing GPO(or create a new one). Make sure that a new Google folder containing two subsections (Google Chrome and Google Chrome – Default Settings (users can override)) appeared both in User and Computer sections of Policies -> Administrative Templates;
Tip. If you are not using the Central Store for Group Policies, you can add the GPO template for Google Chrome manually. To do it, right-click Administrative Templates and select Add/Remove Templates. In the next window specify the path to Chrome .adm file. It is better to specify the path in the UNC format, like this: \contoso.comSYSVOLcontoso.locPolicies{60553A6F-2549-4C9E-B522-D3CF668E56B4}Admchrome.adm.
These administrative templates contain about 300+ different Google Chrome settings that you can manage. You can explore them yourself and configure the browser settings that are needed in your environment.
After you have installed the administrative group policy templates for the Google Chrome browser, you can proceed to configure Chrome settings on users’ computers.
Configuring Typical Google Chrome Settings via GPO
Please note that Google Chrome settings are stored in two sections of Group Policy (both in Computer and User Configuration):
- Google Chrome – users (and even the local administrator) cannot change the Chrome settings on their computer specified in this GPO section ;
- Google Chrome – Default Settings (users can override) – recommended browser settings that users can change.
Let’s look at the basic Chrome settings that are often centrally configured in an enterprise environment:
- Set Goggle Chrome as Default Browser: Enabled;
- Set disk cache directory – path to the Chrome disk cache (as a rule it is “${local_app_data}GoogleChromeUser Data”);
- Set disk cache size – disk cache size (in bytes);
- Set Google Chrome Frame user data directory – Chrome directory with user settings “${local_app_data}GoogleChromeUser Data”;
- Managed Bookmarks;
- Disable Chrome auto-update: Allow Installation: Disable, Update Policy Override: Enable and in the Policy field specify Updates Disable;
- Add certain sites to trusted sites list – Policies HTTP Authentication -> Authentication server whitelist;
- Allow Kerberos authentication in Chrome for a specific sites. Add a list of server and site addresses to the policy settings HTTP Authentication -> Kerberos Delegation Server Whitelist and Authentication Server Whitelist;
- Send anonymous usage statistics and crash information: False;
- Use a temporary Chrome profile (data is deleted after the user session ends). Ephemeral profile -> Enabled;
- Block access to a list of URLs: add a list of websites to be blocked;
- Change the location of the download folder: Set download directory: c:tempdownloads.
Note that the ${local_app_data} directory corresponds to the folder %username%AppDataLocal, and ${roaming_app_data} – to %username%AppDataRoaming. A complete list of Chrome policy settings with detailed explanations can be found here https://cloud.google.com/docs/chrome-enterprise/policies/.
Configuring Proxy Server and Home Page with Chrome GPO
Let’s configure a proxy server in Chrome. We are interested in the following policy section: Google Chrome -> Proxy Server.
- proxy server address: ProxyServer – 192.168.123.123:3128
- an exception list for proxy: ProxyBypassList – http://www.contoso.com,192.168.*, *.corp.contoso.com
Set a home page: Google Chrome -> Startup, Home page and New Tab page-> Configure the home page URL: http://contoso.com/
It remains to link the policy to the desired container (OU) of Active Directory. Apply the group policy on a client by running the command:
| gpupdate /force |
Launch Chrome on the client and make sure that the settings specified in the GPO are applied (in the example on the screenshot, the user cannot change the values assigned by the administrator – “This settings is enforced by your administrator”). You can troubleshoot group policy assignment on a desktop computer using gpresult.
And on the settings page, “Your browser is managed by your organization” is displayed.
To display all Google Chrome settings that are set through the GPO, go to the Chrome://policy address (here the parameters specified through the registry or admx GPO template files are displayed).
Deploying Google Chrome Extensions Using Group Policy
You can use ADMX templates to install certain Google Chrome extensions for all domain users. For example, you want to automatically install the AdBlock extension on all computers. Open the chrome://extensions settings page and install the extension you need on your computer.
Now you need to get the extension ID and the URL from which the extension is updated. The Google Chrome Extension ID can be found in the extension properties (Developer mode must be enabled).
By ID, you need to find the extension folder in the user profile C:Users%Username%AppDataLocal GoogleChromeUser DataDefaultExtensions{id_here}.
In the extension folder find and open the manifest.json file and copy the value of the update_url. Most likely, you will see the following URL: https://clients2.google.com/service/update2/crx.
Now, in the GPO editor console, go to the Computer Configuration -> Policies -> Administrative Templates -> Google -> Google Chrome -> Extensions. Enable the policy Configure the list of force-installed extensions.
Click the Show button and add a line for each extension that you want to install. Use the following format:
{extension_id_here};https://clients2.google.com/service/update2/crx
After applying to the user’s computers, all specified Chrome extensions will be installed in silent mode without interaction with the user.
